
Windows Communication Foundation comes with a rich set of security features, such as transport-level security, message-level security, and transport security with message credentials; each security type has its own advantages and its own overheads. My application has many diverse clients connecting to the service, and they have to be authenticated against the database, so the best possible solution is message-level security with custom username/password authentication. After digging into the net, I found pieces of information, and with some effort I implemented a concrete solution which I hope is helpful for others.

This class must derive from System.IdentityModel.Selectors.UserNamePasswordValidator and override its Validate method. Validate can check the user against any data source; in this example, we use a hard-coded value.
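The following validator is an added example written for this article, not the project's original code; the user name and password it accepts are constructed placeholders standing in for the database lookup the article describes.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.ServiceModel;

namespace UserNamePassService
{
    // WCF calls Validate() for every incoming message that carries a
    // UserName security token; any exception thrown here rejects the message.
    public class CustomUserNameValidator : UserNamePasswordValidator
    {
        // Constructed credentials for illustration only; a real service
        // would look these up in its user store (the article's database).
        private const string ExpectedUser = "testuser";
        private const string ExpectedPassword = "P@ssw0rd";

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
            {
                throw new ArgumentNullException();
            }

            // Single '&' (not '&&') so both comparisons always run.
            bool ok = FixedTimeEquals(userName, ExpectedUser)
                    & FixedTimeEquals(password, ExpectedPassword);

            if (!ok)
            {
                // One generic message: do not tell the caller whether the
                // user name or the password was the wrong part.
                throw new FaultException("Unknown user name or incorrect password.");
            }
        }

        // Compare without stopping at the first mismatching character, so the
        // time taken does not depend on how much of the secret matched.
        private static bool FixedTimeEquals(string a, string b)
        {
            int diff = a.Length ^ b.Length;
            int n = Math.Min(a.Length, b.Length);
            for (int i = 0; i < n; i++)
            {
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }
    }
}
```

The service configuration then references this class by its assembly-qualified name (namespace, class and assembly) in customUserNamePasswordValidatorType.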

Creating the web application

Add a reference to the service in the web application. Add a text file, rename it to UserNamePassService.svc, and add the following line of code:

Add a service behavior and name it Behavior1. Enable the service metadata by adding <serviceMetadata httpGetEnabled="true"/> so that when we add a service reference in the client application, it fetches the metadata and creates the proxy classes for us. The essential part is the service certificate. Certificate creation will be covered in a later section, but for now we have to remember the certificate settings: findValue="MyWebSite" will be the subject of the certificate, CN=MyWebSite, and you can change this value to your domain name or project name.

Set userNamePasswordValidationMode to Custom, and in customUserNamePasswordValidatorType specify the custom validation class with its namespace and assembly.

Now we will set up the service endpoints. There are two: the wsHttp endpoint for the service itself, and the MEX endpoint for metadata exchange. The base address is http://localhost/, so the fully qualified service address will be http://localhost/UserNamePassService.svc.

Note: if the website is hosted on a specific port in IIS (in this example, the website is hosted on port 83, so the address is http://localhost:83/UserNamePassService.svc), we do not need to change the port in the configuration file; leave the baseAddress as "http://localhost/".

Download the Pluralsight SelfCert from the link given at the beginning of the article. Run the tool as Administrator; otherwise, it will crash.

Configure the settings to install the certificate; refer to the screenshot below.

After making the required changes, click the Save button and then you will see the screen below:

After the installation of the certificate, browse the site again, but this time, you should see a different error as shown in the screen below:

This error means that the default application pool does not have access rights to the certificate's private key, so we now have to grant the default application pool read access to that key.

Download WinHttpCertCfg.exe from the link given at the beginning of the article. This is a command line tool. After installing it, run the following command at a command prompt opened as Administrator.

Running the client from another PC to make sure everything works fine:

Conclusion

I'm sure this project will be useful for developers who want to implement custom security. I tried my best to describe each step with a screenshot. I hope you've enjoyed this article. If you like this article, please let me know. If you have any questions, please feel free to contact me at fayaziiui@gmail.com.